
Welcome back from the break. We've got a really great speaker up next. Um, Alex spoke actually at epic, uh, in 2018 about hacking his friend, and it was, uh, pretty entertaining. Um, his talk today is, uh, I'll get the title, "Finding Tony Abbott's passport number and entering the Do Not Get Arrested Challenge for 2020". And this was an amazing blog post that came out and made him a Twitter celebrity. Yeah, so this is, uh, we saw a bit of a preview of this one, so really looking forward to this talk. Um, so a big round of applause for Alex, please.

Hello everyone, my name is Alex, uh, but you can call me Alex with the
double quotes. And you might be wondering, what's up with the double quotes? What's the deal with that? It's quite simple. A few years ago some journalists wrote about a blog post that I wrote, and they said, according to a post by a hacker who goes by the name "Alex", in double quotes. And that's my real name. So now my real name is my hacker name. Enjoy it. But if you're worried about me, don't be, because if you google this, which, you know, I had to google it and find out, if you google it you just get this guy. I don't know what this guy's deal is, but, like, don't worry about it. So if you see
any crimes being done by Alex, probably this guy. I also organized this conference called Purplecon, which is like a security conference that, instead of looking like this, looks like this. And we did this because, like, me and a couple of other people did this because we were like, oh, we always thought that hacking, like hacker culture, had always been about rebelling or doing your own thing. And we're like, oh, everyone's rebelling, everyone's rebelling by doing, like, this kind of thing, but they're all rebelling in the same way. We're like, oh well, it'd be good if we could rebel in, like, a different way, so everyone could, like, see that they can choose their own way to do it. And that's
what we made, that's why we made a thing that looked like this. Also it seemed like a lot of fun, and it seemed like you could just, you can just make a conference and do whatever you want and no one can stop you if you just pretend like you're adults. It was great. But professionally I work on the red team at Atlassian, and before they added incident detection and response. But also, what does red team mean? There's, like, a lot of different meanings for that. Don't worry, allow me to explain, it's very simple. Uh, our job is to hack Atlassian exactly like a real hacker would, exactly do whatever they would do, and then tell Atlassian all about it, because
a real hacker doesn't tell you what you missed. And then finally we sell the stolen data on the dark web so that... no, no, no, not really, not really. We don't do that last time, we didn't do that last part anymore. No, no, really, we don't do it, really, we don't do that last part. I'm so sorry. But enough about work, let's talk about a fun thing that I like to do on the weekends. Uh, one weekend, one Sunday, I was just hanging out at home drinking water, not really doing anything in particular, and then I got this message in the group chat, and the message is a link to an Instagram post. If you don't know Instagram, it's an app
you can look at any time to look at ads. And the Instagram post, uh, is, uh, a picture of a boarding pass, and the message says "Alex, can you hack this man?" from someone. And the man in question is former Australian prime minister Tony Abbott, and the link is to an Instagram post he made, which is this Instagram post, and it's a picture of his boarding pass for a flight, and he's got a caption which is like "coming home from Tokyo" or something, I don't know. And I should be very clear that, like, my friend is asking me... why is my friend asking me "can you hack this man"? This is not the kind of group
chat where we all commit cyber treason, it's just, it's not that kind of chat. My friend was asking me because we'd recently been talking about boarding passes, and I was saying, yeah, I think people post their boarding passes all the time on Instagram or Twitter or whatever because, like, they don't know that, like, the boarding pass can be used to get your secret information, like your passport or something. I didn't really know, I just knew it was bad to post your boarding pass somehow. People post it all the time because they don't realize it's bad, and that's why my friend, who has seen this post by former Australian prime minister Tony Abbott, has sent me this message
saying "can you hack this man". And, like, I'm just looking at this message, and just to be clear, like, he's not actually asking me to hack the former prime minister, like, I'm not a crazy person who would do that kind of thing. He's just sending me this message just for regular normal reasons. But, like, surely you'd do it, like, well, how could you not? Like, imagine that link is just staring at you, like, surely click on that link, surely you find out. Like, wouldn't you be curious about it? Like, from my point of view, the former prime minister had just posted his boarding pass on the internet
and I was like, is this bad? Is this dangerous? I don't know. If it is bad, someone should probably do something about that, but I don't even know if it is dangerous. And what I didn't know was that the least I could do for my country was to have a quick browse of whatever's on this page. And then I was like, wait, I don't know how to hack boarding passes. How do you do this? What... I said I know that something can happen, like, it's bad if it's public, but why is it bad if it's public? What do you do if you have someone's boarding pass, just theoretically? And so I was, like, googling it and I
found this blog post which was like, oh yeah, the important part about the boarding pass, the secret part, is the barcode, and the barcode has a booking reference, which is like the six-digit, uh, code that you type in when you log into a flight, and that's the secret thing. So then I was like, okay, so I have to scan the barcode, I guess. And I tried to scan it with my phone and do, like, a barcode scanning thing, but it wasn't working, and I zoomed in the picture and it still wasn't working. So then I, like, went into Photoshop and tried to, like, you know, zoom in even more, like increase the contrast or, like, make the lines easier
to see. In retrospect I probably shouldn't have blurred out the barcode first. But for whatever reason it wasn't working, like, I still couldn't scan it. And I was like, I spent, like, 15 minutes looking at this picture in Photoshop, and only after that time did I realize that while it's true that the barcode couldn't be scanned, the six-digit booking reference that I need was also just printed there on the boarding pass. And I was like, I graduated university and it did not help with this. So then I had the booking reference, and then I was like, okay, so I think, now what do I do with this? Where do I put it? And so I was like, oh, I think you
go to, like, when I've got on a flight you put your booking reference, you go to the website and you go to the Manage Booking screen, which looks like this, and they ask you for two things. They ask you for your booking reference, which I just had, and then the second thing they ask you for is your last name. I was really hoping the second thing would be, like, a password or something hard to get, but then I realized that the booking reference is the password and the last name is the username. And so I was like, oh, also I know the last name, because it's Abbott, because it's Tony Abbott. He just posted it on Instagram. I
know the last name. Also the last name is on the boarding pass, even if I somehow just found the picture, like, everything you need is on that boarding pass. And so it was also around this time that I started recording my screen, which is about to pay off big time.
So that's what it was like. And at that point I was thinking, oh geez, that was easy. That was like, I just logged into this page and now I'm logged into former prime minister Tony Abbott. Quick reminder, I'm not in jail right now, nothing bad happens, just to be clear. Anyway, so then I was looking at this screen and I was like, huh, that does say Anthony Abbott, whoever that is. And I'm like, hmm, this is probably not ideal that I can see this. But then I was kind of going through the stages of grief and being like, well, after denial, now maybe, maybe this is actually fine. Like, yeah, I'm, like, logging into this, like, log into
this airline thing, but there doesn't seem to be anything super secret here. It's just, like, his name is there, sure, I think there's this frequent flyer number there. I'm like, yeah, whatever, that's not a huge deal. Have some, I think, I don't really know. It doesn't seem like a huge deal, so maybe it's fine. And so then I looked around some more and it was like, yeah, this flight had been booked by a travel agent. And so I was like, oh, maybe that's why, because maybe the travel agent, like, you know, they don't put all your details in there because the travel agent just books it. Maybe this is a particularly safe version of the login screen that doesn't
have as much information in it. But then I was like, well, not going to give up just because there's nothing on the web page. Like, I'm not just going to trust this web page blindly. I was like, I wonder if there's anything else in this page somehow that I can't see. And so to find those other things I used an illicit hacker tool, and so I'm warning you that it's illicit. I feel like you know where this is going, but, uh, to show you the illicit hacker tool I prepared a short video.
I'm so sorry you already see that. So after I'd done, you know, uh, the page looked like this, and I was, like, looking at the page source of this, like, random Qantas, like, airline page, and I was like, yep, that looks like a website, that looks like HTML. And I was just kind of scrolling around in there randomly, trying to be like, is there anything secret in here? Is there any information here that's not just meant for showing the website, maybe, you know, data that's about this airline booking but it's not being shown on the page for whatever reason? And I quickly realized that, like, scrolling around just looking at it with
my eyes was not a very efficient way of defending my country, because it took a very long time. And so I was like, okay, there's got to be a better way. So then I could just search in the page for, like, "passport" and stuff. And I did search for "passport", and there's a bunch of things that had "passport" in them, but they weren't anything interesting, they just, like, mentioned the topic of passport. But I was noticing there was this big JSON, like, section where there's, like, loads and loads of JSON things in the page, and I was like, why is this in this Manage Booking page? Sometimes pages can have a whole bunch of, like, JSON in them for
non-cyber-treason reasons, but I was like, what is going on here? And eventually one of the things that said "passport" was this one, and it had a bunch of fields like date of birth and issuing country and document number, and then after document number was something that looked a lot like a passport number. I realized I don't really know what passport numbers look like, I don't know what mine looks like, and it was kind of vaguely like mine. And then I was like, that looks like someone's passport number. And then I looked at the date of birth and it had a birthday, and I looked up Tony Abbott's birthday on Wikipedia and it was the same date of birth. So
then I was like, I think I may be looking at the extremely secret government-issued ID of former Australian prime minister Tony Abbott, uh, Prime Minister of the Commonwealth of Australia, servant to Her Majesty Queen Elizabeth II. Hmm, this could be bad, is what I was thinking, is that maybe I shouldn't be looking at this. And, like, for all I know everyone else who saw that Instagram post could also be here looking with me, because anyone could be doing this, and I can't tell if someone else has done it. And then I was like, okay, well, I mean, what else is in here while we're doing this? Like, is there anything else in here?
Who, what, any other prime minister? Is Queen Elizabeth's passport number in here? Like, what else is going on? And so I searched for other stuff. Maybe there's, like, maybe there's a phone number in here. So I searched for "phone" and "number" and, like, other things that look like a phone number, but nothing came up. And then I was like, well, okay, maybe the phone number's there but it's not called phone number, it's just there randomly, like the passport number was called document number. And so I was like, you know, I had a galaxy brain moment and I searched for 614, which is the beginning of an Australian phone number, and that led me to this content
which was a whole bunch of weird uppercase stuff, and it did in fact, it definitely did have a phone number in there, something like a phone number, but it also had all these, like, uh, uppercase codes, and it was, like, separated by pipes. And I was like, what is going on? What does this mean? And then in there it also had the passport number again, which is great. Uh, but then it had, like, stuff like English, someone talking. It says, like, "so-and-so called requesting fast track for Mr Abbott", like, a person typed that, not a computer. And I was like, looks like there's people from Qantas talking about Tony Abbott, but they're sending it to him when he
checks his, when he goes to manage his booking. I'm like, what is going on here? And I'm still like, hey, there is a phone number in here, but there's also, like, telling people where Tony Abbott should sit, "please sit here, not here", and, like, saying, oh, here's the passport number again, and saying there's this other phone number. I still don't know what this other phone number is now. And they're talking about the fast track stuff, and I was really confused, because this doesn't look like the kind of thing that should be in a Manage Booking page. And I was like, okay, this is some airline code for something, all these applications, this must mean something.
And it turns out these are special service request codes. When I looked them up, the web page was like, warning, it's going to be cryptic, and then, why, it was. And so, uh, SSR codes are for things like vegetarian meal or, like, this person needs a wheelchair or something, that's what they're for. And so, like, here's some examples of some SSR codes that I like. Uh, I'm kind of feeling this one, "passenger with emotional support animal in cabin". I'm really glad that's a code, because it could happen, so that's why they gotta have a code for it. So here's a bunch of the codes that were in this, like, random
uppercase spaghetti. And there was this one, FQTV means frequent traveler, apparently, and QF means Qantas, it's like the airline code, and HK1 means passenger one's... HK stands for holding confirmed, I don't know why that's the code for it. Um, this one, which is about the way to sit Tony Abbott, is like, oh, this is information for the airport personnel. And the one with the phone number was CTCM, and I was like, what does that mean? Uh, it's CTCM and then passenger one, then the phone number. I looked it up and it says, yep, this is where you store the passenger's phone number. And I was like, hmm, okay, so that
would be the phone number of passenger one, which would be Tony Abbott's phone number. Hmm, this could be bad. And then I was like, is it actually Tony Abbott's phone number? Maybe it's a travel agent's phone number or something, right? And so I looked up, do they have to have the right, do they have to have their real phone number? And according to some new law or some new thing in 2019, then yes, it has to be the actual passenger's contact number, so they can tell them if there's an emergency or a flight change or something. So I was like, yep, that would have to be Tony Abbott's phone number. So then I was like, okay, this is like
starting to be the kind of situation that may take months to resolve. And so I was thinking, I just quickly googled it, I was like, is anyone tweeting about this? Is anyone else talking about Tony Abbott's boarding pass? Maybe some absolute bozo has done the same thing as me but then also posted about it. No, no one had, there was just nothing. So for a quick recap, uh, in my fun Sunday afternoon drinking water session I found Tony Abbott's passport number and also phone number and also all this airline stuff. And it was then that I was thinking, like, this is not like something I can undo, this is kind of just happening now.
And here's a quick little window into what I was thinking at the time. I was thinking, like, oh geez, this is bad, I have 10 years, what am I supposed to do now? I have to, like, reset Tony Abbott's passport number, like, it's not even my passport number. Also, can you reset, is that a thing? Like, you can reset passports, but I don't know. And then also, is it possible that I've done a crime? Anyway, that's the end of the first act, here's a quick intermission. Okay, I'm glad we enjoyed that. Intermission's over now, back to, uh, in this act I will try to resolve all these problems while not getting arrested. I realized that I inadvertently entered
into the Do Not Get Arrested Challenge 2020. There's also a lot of extremely unsatisfying and boring phone calls with the government in this section, which I will not be including in this section because I respect my audience. That's right, that's you. So let's get started. The first thing I want to figure out is, have I done a crime? Then I wanted to figure out, okay, I think I need to tell someone about this so they can fix it, reset the passport number, do something. Just tell Tony Abbott? Do you have to tell his security team? Does he have a security team? I didn't know. And also I want to publish a blog post about this, because,
you know. And then finally I was like, well, also Qantas should know, because they probably don't want to be sending me the passport number in the page, so I should tell them about it so they can fix it and so that doesn't happen anymore. So that's the first thing, the first thing I tried to figure out. I kind of did these all at the same time, but vaguely the first thing was, I wanted to... have I done a crime? And I was like, well, was any of that illegal? And to answer that question I would need to know what the laws are, and otherwise I don't know what the laws are. And so then I tried to read the laws, and
this, like, reading JSON was fine, but reading whoever wrote this is like, um. And so I'm possibly the furthest thing that there can be from a lawyer, so, like, I wouldn't take any of this seriously if I were you. But if you're the kind of person who takes legal advice from conference talks, who am I to stop you? Not a lawyer, that's who. Do not do that. Uh, and I was thinking maybe I should get some free government legal advice. I was like, maybe I can ask somebody who knows about this, I thought to myself, legally. And so I called up this random government phone number that was like, hello, we'll give you legal advice, and I
asked them, like, oh, I didn't just say, hey, so I've got, here's his passport number, because I don't think he's going to do that. And so I was like, if someone had found the, like, personal information of a former politician, hypothetically, possibly or something, would that be a crime? And the people, like, they didn't really know, which is fair enough, because they were like, we don't really know about how all this computer stuff works, we know law stuff, and, like, that's fair. Um, and so I was like, well, I need to find a lawyer who knows about computers, how do I find one? I eventually found, I initially talked to two separate lawyers who vaguely know about computers and who
told me, in terms that were definitely not legal advice but just something that they thought I should know, that it's fine, probably, don't even worry about it. And I was like, okay, great, so now I can, like, tell people about this. That's good enough for me, that counts. Check, I have not done a crime. That looks like it's checking off that I have done a crime, but I really am checking off that I haven't, you know what I'm talking about. Good, I'm so glad you know. And so then I was like, okay, who do I tell about this? Who cares about this, and who cares about fixing this, and who knows how to fix this? I don't know.
And I know you may be thinking, wait, but Alex, do you see that? Do you see the problem? Do you see the irony in this? You have Tony Abbott's phone number right there, so you could just, you could just call him. And then they're like, no, you can't just do that, because, like, Tony Abbott didn't, like, want me to have his phone number, presumably, because he didn't, like, give it to me, he just put it in this web page. And, like, if it was an emergency or something, like, if something was gonna happen in the next, like, one hour unless he heard about it, then sure, I probably would have done it, but, like, otherwise I
feel like this is not the, like, polite thing to do when you're trying to tell someone about a security problem. Also there's this, like, thing that happens, which I'm sure none of you have ever had happen to you, where you're trying to report a security problem to somebody and you're saying, hey, like, there's this problem with your security, and they say, oh, I see, so you're a hacker and you're trying to hack me and this is blackmail and you're ransoming things, and, like, no, please, I don't want to do that. And I really wanted to avoid that on a governmental scale, so I wanted to do this the official, proper, nice way where no one thinks I'm trying to blackmail
them. And so obviously I went to Tony Abbott's website, to the... I was like, you have to... contact me form. And he does, he has this form where you can send him anything, and anyone can send him anything. And I was thinking, like, he's probably not reading these responses, because, like, there's probably been quite a lot of, like, passionate typing into this form on, like, weeknights by people. And so I don't really, I'm kind of imagining, like, whatever they send, whatever, they send "critical security advisory", then whatever, I don't think they're going to read it, you know. But then, like, I was like, oh, should I bother sending anything? But I
decided to send it anyway, because, like, what do I have to lose? And the form doesn't even work. What do you get, standard, doesn't work, it doesn't send anything. And, like, this is an incredibly effective way of solving the problem of people keep sending me angry emails. Yeah, so then I was like, at this point I might as well just call the Liberal Party. And so I did, uh, found their phone number. I was like, hey, so I wanted to report a security issue. I didn't say Tony Abbott to anybody, uh, I just said, like, oh, with a former politician or something. And they were like, yeah, we don't know. I called them and they were like, yeah, we
don't know about any of this security, cyber security stuff. Uh, also if they're a former member we can't help you, because, like, they're not part of our thing anymore. And that was the general summary of them. The general summary is they're like, uh, we don't know about any of this stuff, have you tried the contact me form on his website? Maybe you should try that. I was like, yeah, no, I've tried the form, okay. And so, you know, let's skip a few more calls like this, where I call people and they say this and they can't help and so on and so forth. And eventually I'm like, this is not working, or the public access
lines. Maybe I know someone who knows someone at the government. Maybe, like, I don't know the right person to talk to, but maybe someone I know has done this, not this exact kind of thing before but something like this before, and they know somehow who I'm supposed to talk to. And so then I messaged my friend. Are you in the audience, Liam? There you are. Thank you, Liam, for letting me message you. And I asked, hey, what do I do? And Liam linked me to cyber.gov.au, so I knew it was going to be good. And this is the website where you can report a security issue with the government. But when I went there
it was like, hey, this is where you report a cyber crime, uh, if you want to turn yourself in, like, who have you ever crime to, who've done a crime to you or someone you know or a business or a government department. I'm like, I haven't done it, please, I don't want to click any of these buttons. And so I was like, I don't know if I want to do that, Liam, geez. And then, I feel like really Liam should say this type, I guess I'm going to say it, and then Liam said these things, which was: oh yeah, it's hard if you know what you're doing on this website because it says cybercrime. Worst case scenario, I've called them
once and had a positive experience, 1300 CYBER1, I wish I was joking, in brackets. And he was like, call 1300 CYBER1, and I was like, I'm extremely going to do that, like, I'm definitely going to call this number if it's really what, like, I guess I could have, like, asked, is this a joke, because, like, maybe I'm being epically trolled by Liam, I don't know. But, like, I am going to call this number, and I extremely did, this very real number. And I called them and I was like, hey, is this 1300 CYBER1? And they're like, yep, 1300 CYBER1. They didn't say that, but I wish
they did. Um, and I mean, I would if I was answering the phone. And they were like, uh, I vaguely explained, hey, I wanna report a security issue, but no, it's not with a website, it's more like with a person. And they were like, okay, uh, here's an email address that you can email where we will, like, someone will talk to you about this, someone from ASD. And I was like, oh, okay, great, you can just put the email address on the web. Okay, whatever, I'm happy to call the number, uh, in fact overjoyed to call 1300 CYBER1 at any time, I assume it's 24 hours. Uh, and so I did email this email address and I was like,
hey, uh, fountain of the passport number is publicly exposed, sorry for clickbait subject line but it's kind of true. And they replied, like, instantly, which is great, and they gave me that "sec dlm equal sensitive" in the top, which is how I knew I made it big, no longer unclassified. And they said, hey, thanks for the email about the potential exposure, and I was like, okay, all right, I get it, "potential" exposure, can you tell us more about this, blah blah blah. And I was like, yes, I can extremely tell you all about it. I told them everything and they're like, cool, thanks, we're doing it. And the conclusion of that whole emailing thing is
they were like, anyway, we've engaged with the Department of Prime Minister and Cabinet and are doing an investigation, we are never going to tell you anything about this ever again, thanks for your help though, kiddo, keep it up, citizen, we got this from here. And, like, fair enough. Uh, and I was like, hey, can you give me permission to publish a blog post? And they're like, no, we don't know how to do that, like, we don't have that, we can't give you permission, and also we don't really know, you can try emailing this government email address. They didn't reply. But, like, close enough, that counts. They've got Tony Abbott's
passport number now, they can, ASD, it's in ASD's hands now, they got this. And so that brings us to the next part, which is, okay, what about Qantas? Um, they need to know about all this as well. And so I eventually found, uh, an email address for Qantas. I originally couldn't find the security email address, so I had to call some phone number, because that was the only thing I could find that was about security, and the person was like, no, this is, like, airport security, like, at the airport. I was like, oh, what do I do for physical cyber security? I want to report a thing. And they're like, email this email, security app, and I was like, okay, I'm so
sorry, I should have just checked that. Uh, anyway, so I did that and I told them all about the issue, and they were like, hey, thanks for reporting this, it's been forwarded to the internal team, we're working on this. And then I never heard from them ever again, and I was like, oh, okay, that's sad. And I was like, hello, after months I was like, hello, I missed you, what happened? Hello, are you there? Like, what's going on with the security thing? But they also didn't reply. And it turns out they, I mean, I don't know what happened, maybe they were just leaving me on read, savagely, but it, uh, they probably have a, I think the
reason they didn't reply is because Qantas was kind of having a bad time at the time, with everybody getting laid off and stuff. And I was like, oh, that's fair enough, if the whole world's kind of shutting down right now, that's fair. And I was like, well, how long should I give them to, like, reply to me or fix this bug? Eventually I started talking to somebody else who worked there in their, like, media department, so I had a contact there who was telling me how it was going. But I was like, well, how long are you supposed to give someone to fix a bug? Like, how long are you supposed to, like,
how long before I disclose it publicly should I give them? And usually 90 days is what I've seen people do. And I was like, well, should I give them 90 days? By the time I was thinking about this it had already been way more than 90 days. But I was like, uh, well, I mean, normally it'd be bad because there'll be people flying every day and, like, the risk that every day this could happen to them, but no one was really flying at the time because of, see earlier. And, uh, also Qantas was going to take a long time to fix it because, also, see earlier. And so I was like, well,
I guess I should just give them as much time as they want, as much time as they need to do it, until people start flying again. They were also saying that it's not a bug in Qantas, it's a bug in Amadeus, which is like some airline software or something, something that they use, so it was taking even longer because of that. I was like, okay, that's fine, kings, go off, take your time, do whatever you need to do. Uh, and five months later they did get back to me saying, um, well, I mean, they said a lot of things, but the main message that I got out of it is they, uh, learned to email me
to thank me from refraining from posting, which I wish people would thank me for that more often. But they were saying, yeah, thank you for letting us review and from refraining from posting. You're welcome. And then they were saying, we appreciate you being so responsible moving into our attention, which we, uh, so we can fix the issue, which we did a few months ago now. I think, like, they fixed it but they forgot to tell me for a while, but they did. And then I was like, that's cool, don't even worry about it. What did you change? What did you fix? Had this happen, like, what did you even change? And they were like, we cannot tell you that, we're
not gonna do that, uh, it's just fixed now. I couldn't actually test it was fixed, because I didn't have a, like, valid booking reference, but someone else tested it for me, it seemed fine. And so I was like, uh, yeah, close enough, that counts, it's fixed, Qantas has got this, check, we're done with this part. And so that brings us to the last part, which is to get permission to publish this blog post, which I wanted to write. And so I had to find Tony Abbott or his staff or something. And so I was like, okay, so somewhere out there the government is trying to reset Tony Abbott's passport number, and someone, probably whoever's trying to
reset Tony Abbott's passport number, can give me permission to write a blog post about it, or can, like, read my draft and say, yeah, it's okay to publish that, or something, I don't know. And I was like, how do I find these people? At this point I may want to call the Liberal Party again. And so I did, and they're like, hey, this time I don't have a security issue to report, do you have Tony Abbott's contact details, just randomly? And they're like, oh no, Tony Abbott, he's not a politician anymore, we're not associated with him, we don't have that. And I was like, well then why do you... it's fine, okay. Uh, but they were like, oh, if
you want that you could just call Parliament House. And they're like, oh, they suggested that I call Parliament House like I was a queen or something, and I was like, really? Okay, I'll find, I'll call, no, that's not right, no, yes, I call Parliament House. And I was like, uh, hello, it's me, an Australian citizen, do you have Tony Abbott's contact details? And they were like, no, no, we wouldn't have that. I couldn't even, I didn't even tell them why I was calling or anything, I just skipped that part and just, like, hey, do you have his number, because I do, but I'm wondering if you... anyway, and I didn't say that part.
and um they were like no no i don't the person i talked to was like i don't have that but i can put you through to the surgeon at arms and they could help you and i was like okay hello and the third at arms was i looked up what a certain arms is apparently it's that and uh i was like hello do you have any other contact details and they were like oh his phone number and they were like oh he's not in an office he's in a temporary office right now so it doesn't have a phone but i can give you an email address or a po box and i was like yeah sure and they gave me the email
address i emailed tony abbott didn't notify of course because it was pretty easy to get that email address so that surely everyone has it so surely no one reads it i didn't bother sending him mail i think that would take him too long anyway also don't really know how to use a post office so that's not an option for me and so at this part of the story kind of just months past me like doing nothing and being like maybe the government will apply to my email maybe but like they didn't and i was kind of not sure what to do and wait i was waiting for quantus to fix the bug at this point
and then eventually one day i had this moment of inspiration or something where i was like wait a minute i can't just sit here while i'm getting left unread by the government this is not okay i have to do something about this this is like not acceptable so i asked my journalist friend and they had a really good idea which was because they're professional journalists which makes sense i should have asked them earlier but they were like oh find tony abbott's staff his like team from when he was the prime minister and asked if they had his contact details and i was like okay that actually sounds like a great idea so i looked up tony
abbott and his like gang on wikipedia when he was prime minister and there's all these ministers all these people and uh but when i was trying to find out which of them to contact it was all like this person is a former prime minister he's a retired politician and so on and so on but i want and i need someone who has like an office now that i can call as opposed to someone who's retired like tony abbott because that's the same problem again uh and i was like ah this is going to work like but then i stumbled then that towards the bottom of the list was this guy called scott morrison and i was like oh he definitely has an
office he definitely has one this is going to be great and it was it was really easy to find that phone number no emotional rollercoaster it was just like on google it was really easy and i was like can you call the prime minister's office i guess and like when i called this number like people like didn't answer for like a few seconds it was just quiet and then like there was like like two women like laughing about something in the background and i was like hello is this this and then they're like hello prime minister's office and i was like hey uh i have a time sensitive media inquiry which is what my journalist friend said
to say uh and do you have tony abbott's contact details they did not check if i was a journalist or anything by the way they were just like sure him uh then they were like i don't know how you prove you're a journalist you say your journalist number i don't know but like and they were like we wouldn't have that oh no firstly i was saying uh do you have tony abbott's contact details and the person like immediately interrupted him was like so tony abbott's not prime minister anymore actually scott morrison's prime minister now and i was like i know i know scott morrison's prime minister now please i'm just wondering if you have them
anyway and they were like we wouldn't have that information because because scott morrison's prime minister now i'm like yes i know and they're like but i'll check anyway and i was like okay cool uh and the person was checking for like a long time like 15 30 seconds i don't know what they were checking but they did and when they came back they were like oh actually i've got tony abbott's personal assistant mobile number is that good i was like yes that's extremely good what yes and you're just gonna give that to me thank you so much i'm here to help here help us failure as well cool let's do it and they did and i immediately called
that number and i was like hello is this tony abbott's personal assistant and the person was like oh no i'm not tony abbott's personal assistant but i am a member of his staff and i was like okay um it later turned out that he was actually tony abbott's personal assistant's personal assistant or something so i was like okay that's fine i'm fine with that and uh he i was like hey so i found the security issue and like the passport number and i talked to the government and i want to write this blog post and the person like interrupted and was like sorry like who are you and where are you calling from
and i was like oh i mean like i'm just alex i don't like like i'm not calling from anywhere i'm just like a person uh like i work at atlassian but they don't they don't know about it like uh and the person was like i'm gonna need to call you back after i process all that and i was like that's very fair and very valid and before the and i was like before you go just wanna be very clear that i'm calling to like try and help with this and not blackmail you into anything and being very this is not like it's not i'm not saying i hacked anyone i'm not here to do a crime and they're like
okay i'll call you back and then uh i don't know half an hour later or something i got a call from a private number and i was like okay and this time it actually was tony abbott's personal assistant we went one layer higher and i was like hello uh are you tony oh hello and the person was like hello yes i'm tony abbott's personal assistant i was like amazing incredible uh i'm calling because they're like he was like yeah i know uh i've like i got the email from asd i'm canceling tony abbott's passport right now i know what you're talking about i've read the emails and i was like yes finally i've told so many people who
don't know what i'm talking about it's good to finally call someone who like understands and also can help because they're tony abbott's personal assistant and uh i was like yes i want to write this blog post uh can i would i always wanted to get permission about it what he was like yeah send us a draft and like we'll review it and let us know if anything you want to change and i was like okay great um and then he was like tony abbott's personal assistant was like these things do interest him he's quite keen to talk to you and i was like what like why why does tony abbott tell you why does
tony abbott talk to me and he was like oh just to pick your brain on these things and i was like at this point in the story i'm like declared emotional bankruptcy a long time ago so i'm like yeah all right sure okay at this point i owe it to my country let's go and so like we we set a time to talk and make a quick calendar event and uh it's for we call it on friday and so we set the call for like the next monday in the afternoon and the senior first institute was like are you free on monday i'm like oh let me just check my calendar i probably am free but like oh uh and
then i got another call from private number good to see the phone number's not getting leaked in this way and then when i answered the phone it was tony abbott and his personal assistant there and he had like a whole bunch of questions uh which i thought were actually pretty good questions some of them and i wanted to tell you about it professionally no that's cool i'll just memorize them and so he asked like uh firstly he was like so as soon as they answered the answer the phone i was like hello and he was like so my understanding of what happened is uh like i posted my boarding pass and this happened and so on and so on and
uh he explained his understanding of what happened which was like mostly correct and he said that anyone who can work the it could have got my passport number and i'm gonna start using that phrase now saying that you know oh yeah i've been working the it if you know what i mean and uh i was like yeah that's right they could get your passport number uh that's what happened and he was like oh so like how come you can get a uh well he said how much can a tech savvy person get from the boarding pass and what do people like me need to know to be safe and i was like oh yeah what people need
to know because that's a good question uh and i was like well i like i am i do know about the computers i do have the tech savviness but you don't need to to do what i did like all i did was do the right click inspect element have you seen the video i didn't ask in the video but like that you didn't have to do anything that special to do this like you can all do it now not that you should just you could and um and he was like yeah okay um so then he was like well but how come like he said that like how come you can get a passport number from the plane ticket
but like uh you can't get them from a bus ticket back on back for how bus tickets used to be back in the day and i was like i think i've seen a bus ticket before and i i think that's because the difference is that the bus ticket doesn't have the pla the boarding pass has a password for a website printed on it whereas the bus ticket doesn't have you can't use it to log into a website and generally logging into websites is widely regarded as a bad idea and so that's where it all goes terribly wrong and he was like yeah okay and then he had a question about bank accounts he was like
but like if someone has my bsb my bank account my bsb and my account number they can send me money but i can't take money out without the password how come this is like that and i was like oh yeah that's also kind of a good question it's kind of confusing like basically the booking reference is a password and does like not just identify it identifies you and it like authorizes you to do stuff so that's why that happens okay fair enough and then he was like um oh that's red and then he was like you know it's a funny old world just out of nowhere and i was like and then he said today i tried to log
into a teams meeting and then he told me teams is one of those apps and the fire brigade uses the teams meeting and i was like and he said anyway i got fairly bamboozled by that and i can now log into a teams meeting in a way that i couldn't before and i was like and then he was like it's i suppose a terrible confession of how people my age feel about this stuff and then for a brief moment uh the entire world stood still the earth stopped spinning and then he said you could drop me in the bush and i would feel perfectly confident navigating my way out looking at the sun and the direction of rivers
and figuring out where to go but this ha
[Applause] this is possibly the most pure and powerful australian thing a person can say and it explains how we elected our strongest as our leader but also this someone on twitter sent me this and i'm just glad that things have improved in the last 10 years i'm glad that like tony's like navigation skills have improved because it seems like that would help and then he asked oh hey is there a book about the basics of i.t that i can like read to learn about how this happened so it cannot happen again and i was like oh yeah like i would want to learn about it too and i was like well like there probably is a book but like probably won't help
because like i didn't learn from a book and like he was saying that like his younger daughters like they help him with uh like computer things and i was like they didn't read they didn't read a book to learn this they kind of just figure it out like people like like like 15 year old instagram influencers they don't read books they just buy it and figure out how it all works and so uh i skipped the instagram part when i was telling him this um and so uh i told him a story about my mom instead because when when i was a kid my here's my mom's stance on computers when i was a kid
uh there are too many buttons on the computers and she's afraid to press the buttons because she doesn't know what the buttons do and like that's kind of fair enough i can kind of understand that because you're like what if the button does something bad what if it like deletes everything what if it like you know there's something that i can't undo later um then i can get that because like adults don't have the sheer dumb hubris of a child because like when a kid is like trying to learn how to use like a spoon or fork for the first time like they don't know what they don't know what a fork or a spoon is or what year it is or
who the prime minister is or anything they just see the spoon and they see the like i don't know cereal and they're like like tiny baby brain is like yeah and they're like try and do it and like they probably get it wrong the first few times because like they've literally never done it before but like they don't know to be afraid of getting it wrong because they're like a kid right and eventually they get it right because they've just done enough times and they try different ways eventually they learn and get it right but like some people don't feel this way about computers they're too afraid to try and so they never get to learn they
never get to get it right and they get stuck being afraid of the buttons and so i'd always tell my mom oh mom you just gotta press all the buttons because that's how you know what they do you could just press them all and she was like hmm i don't know i don't know if that helped i don't know if this helped tony abbott but i did tell him the story i didn't call her mum i just told him the story that i'd say to my mom just to be clear and then i was like anyway can i write a blog post about all of this and he was like yeah you've let me know
about something i probably should have known about and so uh if you want to do that go for it and i was like okay excellent nice i'll send you a draft and then he was like yeah is there anything you think i need to know give us a shout and i was like thank you and that means we did it because he said i can write the blog post it's as simple as that all we need to do is that and that means that i've come so far completed the do not get arrested challenge 2020 wasn't over but i got all the way through talking about getting arrested and then also i've been talking about
hubris a lot in this talk and i kind of wanted to explain what i mean by hubris but i and uh what i mean is like the willingness to risk breaking the rules and like it doesn't mean the law necessarily just means like breaking any like rules of a game or like social rules or anything it's like for example if you're at like a fancy restaurant with like i don't know white tablecloth or something and the like the waiter asks you oh hey do you want still or sparkling water and like if you say still it costs like eleven dollars and if you say sparkling costs like eleven dollars and it's all fizzy and gross i don't like it
and so oh this seems like kind of a bad choice but one time i saw someone just say oh no tap water please and the the the waiter was like okay and brought tap water instead which was free and i was like what you can just do that i didn't know you could just do that and like now that i've seen them do it now i can i can do that too but like the idea is that like you if you haven't seen the rules be broken before if you haven't broken them yourself or if you haven't like experienced it the idea that the rules can be broken just may not occur to you in the first
place and so i hope that explains why i ended up doing this in conclusion to be a hacker you ask for tap water i hope that helped ah okay that's the end of that too time for quick intermission why don't we just all right okay no let's go back three so this isn't over because what about this is all up to what led up to publishing the blog post and i did publish the blog post i sent a review to qantas i sent a draft to qantas and tony abbott and or tony's personal assistant and so on uh tony abbott's personal assistant uh read the whole presumably read the whole thing and it was like
yep no corrections it's fine it's perfect nothing to change and i was like okay great and i know you're wondering which was what was the what was the internet response to this what was what was the comment section like and so i wanted to sort of take you through what the comment section was like and also what journalists wrote about it and i just kind of wanted to take you through what it was like for me for those like one or two days afterwards uh first i got completely dragged by these journalists who called me a hacker in double quotes that's kind of unrecoverable also this is the picture that they put like me like looking at tony
and then in the article they said the self-described hacker like this is devastating reputationally and they talked about stuff and then in another article they say oh australian tech expert this is far from the truth and in another article they say oh a curious blogger i guess that's kind of true but they also said i did it by accident and like like sort of and then this other website was like oh firstly hacker in double quotes secondly he says he could do it to you too i didn't say that and lastly said he did it as a dare who dared me to do that who would do that who would damn he's like absolutely not
and then this other article uh said the one thing that i was too afraid to say which was the lesson is never post on instagram and i was like oh thank you thank you so much for saying that i couldn't but you could you walked so i could run article uh and then also and they may be wondering what about my twitter dms of course and these uh i'm telling this random person my twitter i'm thinking of making a presentation about all the weird twitter dms i got and the the person is like there's some weird ones and i'm like no they're very normal most of them were actually really nice most people were just saying that they liked
it and i was like oh okay thank you that's actually really nice oh then there's a bunch of journalists saying like hey you know keep in touch if this kind of thing happens again i'd love to hear about it love to write more about it and i was like hey i don't do this this is not my thing like this is just like an accident like you've this is a big misunderstanding i'm not gonna like how do you think i don't have like a this is not gonna be a thing uh then i got a quick dm from tony he needed help with netflix and actually helped about that don't even worry about it it's fine
then i got this message from my friend who was like is this what you wanted with this picture and the answer is no this is far beyond what i could have possibly wanted for this whole experience uh then i got if i can be vulnerable on stage for a moment then i got completely dragged by this tweet because this person who says prior to scrolling any further i spent two minutes imagining the situation in which tony had been posting on instagram about the scott pilgrim movie with this just cut off here
unrecoverable is what i would call that and then this then this like kind of famous person like was tweeting like replying to a tweet or something tweeting at me saying hey do you need a lawyer and i was like nope i'm good i haven't done a crime and then they were messaging me being like okay so here's the number some lawyers i know and like this person's really good i'm like i still don't i still don't need one and they were like oh well i'm sorry i thought it was a star avatar this was my twitter picture at the time and then i was like excuse me what what was the star every time what are you
what are you talking about and they're like oh i just thought you were 12 because you know and they say a whole bunch of things about how they thought i was talking about writing and they say i'm so sorry and i was like thank you so much for your help i still don't need a lawyer it's okay though uh this random person in the youtube comments said he's not a hacker just some degenerate but like i cannot find it within myself to disagree this person this person emailed me to tell me that google chrome is a kind of web browser and that i could have said where could have said browser instead of google chrome and i was like thank you
so much this person just emailed me to say hong kong this is the best one then i got this other email from anonymous and they said hey there's a 20 year old chat room it's got a bunch of semi-famous semi-literate elite jerks in it uh and there's one canadian guy anyway if it sounds mysterious and cool don't worry it's not i'm just making it sound that way anyway if you want to join our discord illuminati here's the link to like join the discord link when i joined there was this guy saying i'm going to go outside and yell hey google if someone pays me to stop so like it's going good i'm still on there
these people seem really nice uh then some random person said hey you thought about doing a book and i was like no i didn't ask them like what would the book be about and they're like oh just you know about like your whole life story and like how you got to this point and i was like i haven't really done my life story yet i didn't think that would and this other person was like oh hey have you thought about doing a movie and i was like really i don't think this would make a good movie i don't think this is the movie they didn't get back to me but the best the best response i got to
all this was an email i'm about to show you from my mom here it is and it says yes firstly yes it is on subject line uh it says am i really going to read this i guess i'm going to read this it says hi mom oh i mean hi alex i lost outline of this one and the spoon and it was such a weird roller derby tale that i was so honored to be included in the trial and error write-up write write your own adventure i also laughed a lot at your i was so stuck by you can by the you can drop me in the middle of the bush reference that you just had to review your notes and i was
thinking maybe we could do a podcast okay good thank you mom thank you thanks mum um um and then i got this twitter dm from someone who says hello i work on seven sunrise which is like a early morning tv show in sydney and i think it's in other places we're wondering if you'd like to go on the show and discuss this and i was like well my mom would really like that so i'm going to do that but before i show you the clip i wanted to show you a message that i got from one of my friends who's currently a uni student about a week and a half ago and they say my crim criminology course just showed
you a sunrise clip as part of our tutorial today and they i messaged the lecturer and i emailed the lecturer who sent me the slides and indeed here's one of the slides about self-control and cybercrime and my friend says currently in a breakout room discussing what motivated you to commit this crime and i was like what have i done this person's a criminology professor they probably kind of know a lot about crimes have i done a crime i didn't think so but anyway then i emailed them and they're like oh no it's fine it was about something there's some difference between what i did and a crime i don't know anyway here's a slide where they say
apply the general theory of crime self-control through to the actions of the hacker so if all of you could just go into breakout rooms and discuss this and come back we'll talk about it later uh but first let's talk about this video from sunrise uh i went to their studio at like eight in the morning so i'm like really sleepy and it was really dark in the in the room and it had like blue lights and stuff and i was like hmm is this is this going to be what i think it's going to be about and they're like oh yeah bring your laptop and i was like really why what am i going to do and
they were like oh just as a prop and before i play this video i want to show you i want to tell you a few things about it firstly what you're about to see has not been edited by me except that i've cut out like boring parts of me telling the story that i just told you so you'd have to watch that again i've not added anything to this video everything you're about to see was made by the good people at seven sunrise nope that's my only disclaimer
now when former prime minister tony abbott's boarding pass was hacked a few weeks back it raised a lot of questions about online security now the hacker responsible has come forward to share his advice on keeping your data secure i know it's kind of him isn't it um eddie has this story yes oh my gosh this is a good warning for everyone alex hope was able to get access to tony abbott's phone number address even passport number when the former prime minister innocently posted a photo of his boarding pass online who hasn't done that but alex says he was hacking for good to help expose a security loophole that has now been closed former prime minister tony abbott has been
hacked after posting a photo of his boarding pass on social media it was the hack that made headlines tony abbott's private details exposed in a very public way and this is the man responsible professional hacker alex hope my job is to hack the place that i work over and over again and then show them how we did it so it's kind of like my job is metaphorically to commit crimes and then write very very detailed confession letters this time the confessional took the form of a blog post detailing how alex gained access to the former prime minister's phone number and passport number after mr abbott posted this photo on social media alex used the booking
reference number to gain access to mr abbott's qantas login from there he accessed the information behind the page web pages have the part that you can see and they also kind of have the inner workings behind the scenes kind of like for a clock there's all the cogs that are inside and it's really easy for anyone to see all the inner workings of a web page you just right click on the page and click inspect element it's not hacking but it is technically not allowed alex notified qantas of the breach straight away so it could be fixed qantas has now closed that loophole it says our standard advice to customers is not to post pictures of the boarding pass
or at least to obscure the key personal information if they do because of the detail it contains we appreciate alex bringing this to our attention in such a responsible way so we could fix the issue which we did several months ago tony abbott also called alex for please explain most hacks are much more destructive in july the government warned of state-based hacking of australian computer networks and systems and around one in three of us will have our personal data breached at some point hacking is just like you know learning to do a martial art or something it's you could use it to do bad things or you could use it to do good things and be careful who has your email
because you never know what digital doors it can open really interesting chat with alex there safe to say i spent the weekend updating all of my security passwords and i urge you guys to do the same that two-factor authentication so easy to do and an easy way to protect yourself online i bet he's going to get a lot of job offers from corporates in australia or asia or something like that kid's really smart yeah and so are all his mates all his mates do the same thing fortunately they're doing it for good yeah that's a great story thanks eddie [Applause] thank you very much
so good alex i was just laughing my head off um so we have a lot of questions and i'll just yeah okay go for it so morton says hey alex wondering what other things like boarding passes might be considered passwords that people may not realize any from the top of your head what other things are passwords that people may not realize now boarding passes like booking references on boarding passes are kind of the only thing i can think of that is like it's not a sensitive information by itself but it's a password to something and you don't realize because like when you type in a booking reference onto the web page onto like a onto the managed booking page
it's not like dots when you type it you actually see the layer that's not obscured like a password but it actually is one but everything else that i can think of that's sensitive like you know your license number or your passport number itself which is not a password it's just it's something that identifies you so nope sorry i can't it can anyone else no i can't think of anything that's good that was a hard question what percentage a percentage of atlassian's revenue is from selling its own data on the dark web i mean you can just go look at the dark web post and to figure it out yourself i mean it's all just right there
we don't call it we don't it doesn't say it's from the last year you'll figure it out you'll figure it out have you played around with similar vulnerabilities on platforms other than qantas is this an airline industry issue or simply a qantas issue right uh just to be very clear i don't like play around doing this this is not like a regular thing that i do this is just an accident my friend messaged me um i don't know if it happens on similar airlines i can't check so i don't have a booking reference but i didn't have a booking reference to them uh my understanding is that it might affect other it may affect other airlines
because qantas said that the problem was with amadeus which is like software that uh many other airlines could use and so presumably it could well it could be that anyone else using amadeus software has the same vulnerability but it could not be i don't know i am like not an airline security expert do you think there should be clearer laws around cybercrime and reasonable disclosure in australia yes there should be clear laws people like me should not be allowed to get away with this kind of thing uh around a reasonable disclosure i've been i don't know i don't really know what the actual laws are so i don't know if they should need to be if they need to be more clear i guess
it'd be good to know how much time you're supposed to give someone i've seen like the industry standard in 90 days but i'm just copying that from seeing everyone else doing it i don't think i don't know if it's a law or anything so like maybe but once again i insist i'm not a lawyer so i don't know which politician have you got your sights on for the next edition of not getting arrested so like i don't know i really have to be clear that's not like my regular thing maybe like look if some maybe if someone sends me another message being like hey here's another politician posting their boarding pass i'll be like really that seems like a coincidence but
once again this is not my regular thing but i do have you notified asd how easy it is to socially engineer parliamentary staff oh i don't think i remember socially engineering any parliamentary staff so no i have not notified them of that fact thank you so much for asking they might be referring to the way you got the in contact i'm not sure oh the thing about where i was like hello i'm not saying i'm a journalist but i'm saying what a journalist would say uh no i kind of just kind of thought that was how it all worked i mean if someone wants to invent a scheme where journalists have journalist numbers that they have to say over the
phone then yeah i guess but i can't see that being used very much oh when are you writing a book on how to work the i.t i don't have any plans to write a book about this but if i did i would have to really strongly stop myself from calling the book how to work the i.t is that your face on the mug in your pic and where can people buy them yes that is my face on the mug in the picture no you cannot buy one uh do you know i got that mug from that mug was a gift from my mum out of nowhere and it has various other photos of me around it on like the other on the other
side of the mug that you can't see and so this year i said hey mom that was a really good mug this year can i have a mug with that photo of me drinking the other mug on it and so now i have that one and i will keep you updated about next year would you go on sunrise again would i go on sunrise again absolutely not my mom is already satisfied what what is your preferred method of secure authentication what is my preferred method of secure authentication i know those words mean separately but uh not having anything secret and not having to log into anything in the first place i like this one did you invite tony
abbott to b-side so he can learn to work the i.t i actually thought you would have done that kylie i didn't want to step on your toes you know i thought like well he's your buddy oh yeah i mean like maybe he don't have his number maybe that's it yeah no he lives in sydney so i guess he couldn't be here today um there's so many uh any tips for the do not get arrested challenge 2021 yes my number one tip for do not get arrested challenge 2021 if you're participating is do not do a crime okay i think we'll have to wrap it up now we've got our next speaker waiting in the wings but thanks again
alex another big round of applause for alex